Aug 30 2021

Kevin’s Key Takeaways – Impressions from HIMSS21

We need the CIA to infiltrate Boards of U.S. Hospitals… sorta.

Of the three security principles every cyber expert still agrees on, Confidentiality, Integrity and Availability, hospitals focus on Availability because it is the fastest way to improve patient care (please and thank you). Confidentiality and Integrity are more on the wish list.

The healthcare industry, and hospital systems in particular, was already plagued by a low tolerance for investing in cybersecurity. Now hospitals need more security than they have ever had, and they still don't have it. This must improve.

It sounds like an unfair statement, yet here are just a few of the figures we heard at the HIMSS 2021 Global Health Conference in Las Vegas earlier this month:

  • Telemedicine is up 7,000%.
  • Cyber attacks against hospitals have jumped 500% since COVID-19 started.
  • 70% of hospitals experienced a “significant security incident” within the last year.
  • Healthcare organizations take an average of 236 days to detect a data breach and 93 days to mitigate the damage.
  • There are more IoT and connected devices in hospitals than ever before, including Amazon Alexas in patient rooms.
  • More hospital workers are remoting in from home than ever before.
  • There is a severe lack of endpoint protection on assets, including those used by remote workers.

And, to be fair – I’ve traveled the world, and one thing that always gives me comfort is the above average consistency of patient care when you need it most. [I realize there are countless sources that talk about the poor healthcare system in our country, but I’m talking solely about the average patient care provided by hospitals.] We have a huge country with a large population with diverse needs, so not every hospital is the one you need. But the specialty care you might need is not far away.

Hospital boards need to approve more spending on cybersecurity. You don’t need to wait for your watershed moment; it has been happening year over year. Lean on the CIA triad: taking all three properties seriously demands a layered defense, something every expert, including us, has been shouting from the rooftops for years. It’s even in our namesake. [ Outstanding primer on the CIA triad here ]

The good news is that you can layer in your security defenses over time, because it’s not about perfection; it’s about progress and, above all, resilience. Attacks will happen. Human error is constant. But you have to spend some time and budget figuring out the right combination for you, because no two hospitals are alike.

What can the cybersecurity industry do to help?

  • We can make our services less expensive, so that a rising tide lifts all boats.
  • Technology providers can make their products easier to implement and offer free training.
  • We can be transparent about what we’re doing so that no one is operating in a black box.
  • The cyber insurance industry could also step up with smarter policies that actually pay out, so that coverage genuinely benefits hospital systems.

We plan to post a more formal analysis of this situation and the solutions. Stay tuned.